cli: add configuration option to use or not use host netns

If `disable_new_netns` set to true, create VM and shim processes in the host netns Signed-off-by: Ruidong Cao <caoruidong@huawei.com>
2025-07-04 02:56:18 +00:00 · 2018-09-21 05:03:57 +08:00 · 2018-09-21 05:03:57 +08:00 · 14e5437cae
commit 14e5437cae
parent 6935279beb
8 changed files with 56 additions and 17 deletions
--- a/cli/config.go
+++ b/cli/config.go
@ -108,6 +108,7 @@ type proxy struct {
 type runtime struct {
 	Debug             bool   `toml:"enable_debug"`
 	Tracing           bool   `toml:"enable_tracing"`
+	DisableNewNetNs   bool   `toml:"disable_new_netns"`
 	InterNetworkModel string `toml:"internetworking_model"`
 }

@ -598,9 +599,7 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 		kataLog.Logger.Level = originalLoggerLevel
 	}

-	if tomlConf.Runtime.Tracing {
-		tracing = true
-	}
+	tracing = tomlConf.Runtime.Tracing

 	if tomlConf.Runtime.InterNetworkModel != "" {
 		err = config.InterNetworkModel.SetModel(tomlConf.Runtime.InterNetworkModel)
@ -626,6 +625,11 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 		return "", config, err
 	}

+	config.DisableNewNetNs = tomlConf.Runtime.DisableNewNetNs
+	if err := checkNetNsConfig(config); err != nil {
+		return "", config, err
+	}
+
 	// use no proxy if HypervisorConfig.UseVSock is true
 	if config.HypervisorConfig.UseVSock {
 		kataLog.Info("VSOCK supported, configure to not use proxy")
@ -640,6 +644,20 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 	return resolved, config, nil
 }

+// checkNetNsConfig performs sanity checks on disable_new_netns config.
+// Because it is an expert option and conflicts with some other common configs.
+func checkNetNsConfig(config oci.RuntimeConfig) error {
+	if config.DisableNewNetNs {
+		if config.NetmonConfig.Enable {
+			return fmt.Errorf("config disable_new_netns conflicts with enable_netmon")
+		}
+		if config.InterNetworkModel != vc.NetXConnectNoneModel {
+			return fmt.Errorf("config disable_new_netns only works with 'none' internetworking_model")
+		}
+	}
+	return nil
+}
+
 // checkHypervisorConfig performs basic "sanity checks" on the hypervisor
 // config.
 func checkHypervisorConfig(config vc.HypervisorConfig) error {
--- a/cli/config/configuration.toml.in
+++ b/cli/config/configuration.toml.in
@ -240,3 +240,13 @@ internetworking_model="@DEFNETWORKMODEL@"
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
 #enable_tracing = true
+
+# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
+# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
+# `disable_new_netns` conflicts with `enable_netmon`
+# `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only
+# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
+# (like OVS) directly.
+# If you are using docker, `disable_new_netns` only works with `docker run --net=none`
+# (default: false)
+#disable_new_netns = true
--- a/cli/kata-env.go
+++ b/cli/kata-env.go
@ -25,7 +25,7 @@ import (
 //
 // XXX: Increment for every change to the output format
 // (meaning any change to the EnvInfo type).
-const formatVersion = "1.0.18"
+const formatVersion = "1.0.19"

 // MetaInfo stores information on the format of the output itself
 type MetaInfo struct {
@ -62,10 +62,11 @@ type RuntimeConfigInfo struct {

 // RuntimeInfo stores runtime details.
 type RuntimeInfo struct {
-	Version RuntimeVersionInfo
-	Config  RuntimeConfigInfo
-	Debug   bool
-	Path    string
+	Version         RuntimeVersionInfo
+	Config          RuntimeConfigInfo
+	Debug           bool
+	DisableNewNetNs bool
+	Path            string
 }

 // RuntimeVersionInfo stores details of the runtime version
@ -171,10 +172,11 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 	runtimePath, _ := os.Executable()

 	return RuntimeInfo{
-		Debug:   config.Debug,
-		Version: runtimeVersion,
-		Config:  runtimeConfig,
-		Path:    runtimePath,
+		Debug:           config.Debug,
+		Version:         runtimeVersion,
+		Config:          runtimeConfig,
+		Path:            runtimePath,
+		DisableNewNetNs: config.DisableNewNetNs,
 	}
 }

--- a/cli/network.go
+++ b/cli/network.go
@ -336,6 +336,11 @@ func hostNetworkingRequested(configNetNs string) (bool, error) {
 }

 func setupNetworkNamespace(config *vc.NetworkConfig) error {
+	if config.DisableNewNetNs {
+		kataLog.Info("DisableNewNetNs is on, shim and hypervisor are running in the host netns")
+		return nil
+	}
+
 	if config.NetNSPath == "" {
 		n, err := ns.NewNS()
 		if err != nil {
--- a/virtcontainers/default_network.go
+++ b/virtcontainers/default_network.go
@ -7,7 +7,6 @@ package virtcontainers

 import (
 	"context"
-	"fmt"

 	"github.com/containernetworking/plugins/pkg/ns"
 	opentracing "github.com/opentracing/opentracing-go"
@ -35,10 +34,6 @@ func (n *defNetwork) run(networkNSPath string, cb func() error) error {
 	span, _ := n.trace(context.Background(), "run")
 	defer span.Finish()

-	if networkNSPath == "" {
-		return fmt.Errorf("networkNSPath cannot be empty")
-	}
-
 	return doNetNS(networkNSPath, func(_ ns.NetNS) error {
 		return cb()
 	})
--- a/virtcontainers/network.go
+++ b/virtcontainers/network.go
@ -148,6 +148,7 @@ type NetworkInterfacePair struct {
 type NetworkConfig struct {
 	NetNSPath         string
 	NetNsCreated      bool
+	DisableNewNetNs   bool
 	NetmonConfig      NetmonConfig
 	InterworkingModel NetInterworkingModel
 }
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@ -121,6 +121,9 @@ type RuntimeConfig struct {
 	InterNetworkModel vc.NetInterworkingModel
 	FactoryConfig     FactoryConfig
 	Debug             bool
+
+	//Determines if create a netns for hypervisor process
+	DisableNewNetNs bool
 }

 // AddKernelParam allows the addition of new kernel parameters to an existing
@ -326,6 +329,7 @@ func networkConfig(ocispec CompatOCISpec, config RuntimeConfig) (vc.NetworkConfi
 		}
 	}
 	netConf.InterworkingModel = config.InterNetworkModel
+	netConf.DisableNewNetNs = config.DisableNewNetNs

 	netConf.NetmonConfig = vc.NetmonConfig{
 		Path:   config.NetmonConfig.Path,
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@ -1021,6 +1021,10 @@ func (s *Sandbox) startNetworkMonitor() error {
 }

 func (s *Sandbox) createNetwork() error {
+	if s.config.NetworkConfig.DisableNewNetNs {
+		return nil
+	}
+
 	span, _ := s.trace("createNetwork")
 	defer span.Finish()